What are the effective IAM permissions of this policy for group members?

The following IAM policy is attached to an IAM group.

This is the only policy applied to the group.

What are the effective IAM permissions of this policy for group members?
A . Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.
B . Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).
C . Group members are allowed the ec2 Stoplnstances and ec2. TerminateInstances permissions for all Regions when logged in with multi-factor authentication (MFA) Group members are permitted any other Amazon EC2 action.
D . Group members are allowed the ec2 Stoplnstances and ec2. Terminateinstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA) Group members are permitted any other Amazon EC2 action within the us-east-1 Region.

View Answer

Answer: D

Explanation:

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html

By default, AWS Identity and Access Management (IAM) users don’t have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permissions for the specific resources and API actions they’ll need to use, and then attach those policies to the IAM users or groups that require those permissions.